@expo/env — Greenflagged

hydrate environment variables from .env files into process.env

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

idebrentvatneevanbaconexpoadminexponentbycedrickudochienalanhughestsapetaexpo-botphilplwschurman

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	missing-githead	AI (provenance): Expo canary releases are published outside standard CI; missing gitHead is expected for this release channel and not a meaningful risk signal for this package.	ai	2026/04/23
maintainer-change	maintainer-added	AI (maintainer-change): tsapeta is a known Expo/React Native contributor; addition reflects legitimate team expansion within the Expo org, not a takeover.	ai	2026/04/23
provenance	no-provenance	AI (provenance): Canary/pre-release builds from the Expo monorepo are not published via Sigstore-attested CI; absence of provenance is expected for this release type.	ai	2026/04/23
publish-pattern	suspicious-version-number	AI (publish-pattern): Expo uses a well-known canary versioning format (X.Y.Z-canary-YYYYMMDD-githash) across their entire monorepo. This pattern is not malicious for @expo/* packages.	ai	2026/04/23
dependencies	unvetted-dep:getenv	AI (dependencies): getenv is a well-known, simple env-var utility appropriate for a package that hydrates .env files; no malicious signals and stable dependency across versions.	ai	2026/04/23
npm-metadata	no-description	AI (npm-metadata): Stub/placeholder package in the @expo scope; absence of description is expected for this version pattern.	ai	2026/04/23
npm-metadata	suspicious-initial-version	AI (npm-metadata): 0.0.0 is a namespace reservation stub in the Expo monorepo; publisher evanbacon has a strong track record and 160 versions exist in the registry.	ai	2026/04/23
provenance	publisher-changed	AI (provenance): brentvatne is a core Expo team member with 3497 approved packages and 3942 days of history; publisher rotation within the Expo org is expected and not a takeover signal.	ai	2026/04/23
maintainer-change	maintainer-removed	AI (maintainer-change): Maintainer removal reflects internal Expo org rotation; brentvatne is a highly trusted publisher with no adverse history.	ai	2026/04/23
bogus-package	bogus-package	AI (bogus-package): Inflated semver reflects monorepo extraction; short README and no keywords are quality issues only. Package is a legitimate Expo utility with a clear purpose and official repo.	ai	2026/04/21
typosquat	typosquat.levenshtein:ajv	AI (typosquat): @expo/env is a scoped package under the official Expo organization namespace; Levenshtein proximity to 'ajv' is purely coincidental with no plausible impersonation intent.	ai	2026/04/21

Versions (showing 40 of 40)

Show 35 prereleases

Version	Deps	Published
2.3.0	3 / 4	2026-05-20
2.2.1	3 / 4	2026-05-06
2.2.0	3 / 4	2026-05-05
2.1.2	3 / 3	2026-05-05
2.1.0	3 / 3	2026-02-08
2.0.11	5 / 3	2026-01-26
2.0.10	5 / 3	2026-01-22
2.0.9	5 / 3	2026-01-21
2.0.8	5 / 3	2025-12-05
2.0.7	5 / 3	2025-09-10
2.0.6	5 / 3	2025-09-02
2.0.5	5 / 3	2025-08-31
2.0.4	5 / 3	2025-08-27
2.0.3	5 / 3	2025-08-25
2.0.2	5 / 3	2025-08-17
2.0.1	5 / 3	2025-08-15
2.0.0	5 / 3	2025-08-13
1.0.7	5 / 3	2025-07-03
1.0.6	5 / 3	2025-07-01
1.0.5	5 / 3	2025-04-30
1.0.4	5 / 3	2025-04-25
1.0.3	5 / 3	2025-04-14
1.0.2	5 / 3	2025-04-09
1.0.1	5 / 3	2025-04-08
1.0.0	5 / 3	2025-01-08
0.4.2	5 / 3	2025-02-14
0.4.1	5 / 3	2025-01-10
0.4.0	5 / 3	2024-10-22
0.3.0	5 / 3	2024-04-18
0.2.3	5 / 3	2024-04-08
0.2.2	5 / 3	2024-03-07
0.2.1	5 / 3	2023-12-15
0.2.0	5 / 3	2023-12-12
0.1.0	5 / 2	2023-07-28
0.0.5	5 / 2	2023-06-30
0.0.4	5 / 2	2023-06-29
0.0.3	4 / 1	2023-05-08
0.0.2	4 / 1	2023-04-14
0.0.1	3 / 1	2023-04-08
0.0.0	0 / 0	2023-04-06

v2.3.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.